Some notes on changing and checking bind DNS entries
Posted by jpluimers on 2023/01/09
DNS isn’t based on propagation, but on (cache) expiry. Which means it is all about TTL (Time to Live), and since humans are bad at coping with caching (remember the post There are 2 hard problems in computer science: cache invalidation, naming things, and off-by-1 errors?), I needed some DNS refresh.
The time values in seconds of SOA (Start of Authority) and TTL record entries are always a pain, so hopefully this helps some:
- TTL values are decimal integers specifying seconds.
- [Wayback/Archive] TTL Calculator allows you to get readable values for the DNS TTL, which is mostly specified in seconds (a great unit of time, just a bit tedious for humans to comprehend when the values get large)
- The SOA time values usually are kind of moot except for the final value, which is the negative-answer timeout if it is smaller than the default TTL.
  - The last bit is explained by [Wayback/Archive] htaccess in detail in [Wayback/Archive] domain name system – How long does negative DNS caching typically last? – Server Fault and shortly in a comment to [Wayback/Archive] domain name system – Recommended DNS SOA record TTL default? – Server Fault:
    Note that the “default TTL” value is only used for the negative caching TTL if it is less than the TTL of the SOA record itself. See 5 - Caching Negative Answers of the referenced RFC for details.
  - The first bit is explained by [Wayback/Archive] Alnitak in [Wayback/Archive] domain name system – Recommended DNS SOA record TTL default? – Server Fault:
    All of those settings (except for “default TTL”) only affect how frequently your domain’s secondary DNS servers poll the primary DNS server for updates. … Typically the primary should send a NOTIFY message to each of the secondaries whenever there’s an update at which point the secondaries grab the zone file immediately. These days the “refresh / retry / expire” mechanism is only a backstop to that.
Some TTL recommendations of the DNS SOA record via [Wayback/Archive] dns soa ttl best practice – Google Search and [Wayback/Archive] dns recommended ttl values – Google Search:
- [Wayback/Archive.is] domain name system – Recommended DNS SOA record TTL default? – Server Fault question by [Wayback/Archive] Geoff Dalgas:
  We currently have our DNS SOA record set to the following for stackoverflow.com:
      primary name server = ns1.p19.dynect.net
      serial = 2009090909
      refresh = 3600 (1 hour)
      retry = 600 (10 mins)
      expire = 604800 (7 days)
      default TTL = 60 (1 min)
  Are there better choices for our refresh / retry / expire / default TTL for a site like stackoverflow.com which receives close to 1M pageviews per day?
- [Wayback/Archive] Best practices for using TTL –
  Generally, we recommend a TTL of 24 hours (86,400 seconds). However, if you are planning to make DNS changes, you should lower the TTL to 5 minutes (300 seconds) at least 24 hours in advance of making the changes. After the changes are made, increase the TTL back to 24 hours.
- [Wayback/Archive] How to Choose DNS TTL Values | RIPE Labs
- [Wayback/Archive] What is DNS TTL + Best Practices | Varonis
- [Wayback/Archive] dns recommended ttl values – Google Search
I’d rather have a good route for unplanned DNS changes (as in the past, quite a few were about those), so I settled for 3600 seconds (1 hour), but might go down to 600 seconds (10 minutes).
Checking DNS entries
- From the *nix console, if you have Bind DNS installed,
  - remember that when specifying full domain names, they usually need to end in a terminating . (for root), like www.pluimers.com.
  - for checking before reloading, the [Wayback/Archive] named-checkzone command can be used, for instance named-checkzone pluimers.com /var/lib/named/master/pluimers.com or named-checkzone pluimers.com /var/lib/named/slave/pluimers.com,
  - after editing the zone, you can either restart named, or run rndc reload to reload the zone locally on the primary DNS name server and potentially notify the secondary DNS name servers to renew their copy so they become synced,
  - for checking after reloading, the dig command can be used, but its syntax can be tricky; I usually try either dig +noall +answer +multiline ANY pluimers.com @localhost or dig +noall +answer +multiline AXFR pluimers.com @localhost. A nice overview of useful dig commands is at [Wayback/Archive] 10 Most used DIG commands – ClouDNS Blog,
  - if secondary servers do not update, you can try rndc retransfer domain.com, but usually it means something is wrong in the communication between the servers.
- [Wayback/Archive] DNS Lookup – Check DNS Records of Domain can verify any type of DNS record on any DNS name server that is accessible from the internet, from both the main page and the detail pages for the various DNS record types. These I use most:
- [Wayback/Archive] A Record Lookup – Check DNS IPv4 Records of Domain
- [Wayback/Archive] TXT Lookup – Check DNS TXT Records of Domain
- [Wayback/Archive] CNAME Lookup – Check DNS CNAME Record of Domain
- [Wayback/Archive] AAAA Lookup – Check DNS IPv6 Records of Domain
- [Wayback/Archive] MX Lookup – Check DNS MX Records of Domain
- [Wayback/Archive] SOA Lookup – Check DNS SOA Records of Domain
Note that the main page not only lists all DNS record types, but also has good links to their documentation. Recommended if you bump into issues and need more background information.
- [Wayback/Archive] Simple DNS Plus – Tools and add-ons has some more DNS testing pages
- [Wayback/Archive] Simple DNS Plus – Remote DNS look up is like the above one page lookup, and has the added benefit of defaulting to your WAN IP address (either IPv4 or IPv6) as name server (which often is the case)
- [Wayback/Archive] Trace DNS Delegation shows the full trace from the DNS root name servers down to one of the authoritative DNS name servers for the underlying domain
- [Wayback/Archive] Simple DNS Plus – IDN Conversion Tool converts back and forth between native and punycode characters, which is great when domain names contain emoji or other non-ASCII characters
- Some nice Q&A:
- [Wayback/Archive] internal dns – List all DNS records in a domain using dig? – Server Fault
- [Wayback/Archive] domain name system – DNS: How to find out which software a remote DNS server is running – Server Fault
  - which got me to [Wayback/Archive] kirei/fpdns: Net::Fingerprint
- [Wayback/Archive] Bind, force zone update on slave – Server Fault
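To script the “checking after reloading” step from the console list above: parse the SOA answer that dig +noall +answer prints (one line per record, so without +multiline), compare the secondaries’ serials against the primary’s to spot one that did not pick up the reload, and derive the RFC 2308 negative caching TTL (the smaller of the SOA minimum field and the SOA record’s own TTL) discussed in the TTL notes. This is an added Python example, not code from the original post; the answer lines and the ns1/ns2/ns3.example.com. server names are constructed.

```python
import re

# One-line SOA answer as printed by 'dig +noall +answer SOA <zone> @<server>' (without +multiline)
SOA_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$",
    re.M)

def parse_soa(dig_answer):
    """Turn the SOA answer line into a dict; the numeric fields become ints."""
    m = SOA_RE.search(dig_answer)
    if not m:
        raise ValueError("no SOA record in dig answer")
    return {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}

def negative_cache_ttl(soa):
    """RFC 2308 section 5: negative answers are cached for min(SOA MINIMUM field, TTL of the SOA record)."""
    return min(soa["minimum"], soa["ttl"])

def stale_secondaries(primary_answer, secondary_answers):
    """Servers whose SOA serial is behind the primary's, i.e. which did not pick up the reload/NOTIFY.
    Plain '<' is enough for date-based serials like 2023010901; wrapped serials need RFC 1982 arithmetic."""
    want = parse_soa(primary_answer)["serial"]
    return sorted(srv for srv, ans in secondary_answers.items() if parse_soa(ans)["serial"] < want)

# Constructed sample answers (not real dig output for any real zone)
ANSWER = "example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. {serial} 3600 120 1209600 10800\n"
PRIMARY_ANSWER = ANSWER.format(serial=2023010902)
SECONDARY_ANSWERS = {
    "ns2.example.com.": ANSWER.format(serial=2023010902),   # in sync with the primary
    "ns3.example.com.": ANSWER.format(serial=2023010901),   # still serving the old zone
}

if __name__ == "__main__":
    soa = parse_soa(PRIMARY_ANSWER)
    print("primary serial", soa["serial"], "negative cache TTL", negative_cache_ttl(soa))
    print("secondaries lagging behind:", stale_secondaries(PRIMARY_ANSWER, SECONDARY_ANSWERS))
```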
Changing DNS entries
Some information on the DNS “master” files (which contain the RR or “resource records”) from [Wayback/Archive.is] RFC1035: domain names – implementation and specification and [Wayback/Archive] RFC2308: Negative Caching of DNS Queries (DNS NCACHE), as I keep forgetting them.
Both RFCs together specify that these line entries are defined (i.e. can be valid):

    <blank>[<comment>]
    $ORIGIN <domain-name> [<comment>]
    $INCLUDE <file-name> [<domain-name>] [<comment>]
    <domain-name><rr> [<comment>]
    <blank><rr> [<comment>]

and that these are the valid <rr> or resource record formats:

    [<TTL>] [<class>] <type> <RDATA>
    [<class>] [<TTL>] <type> <RDATA>

If you do a DNS zone transfer – Wikipedia (often abbreviated to the DNS query type AXFR), then these entries always are single line with fields expanded, with each always having an absolute <domain name> entry ending in a dot (.), and read like this:

    <domain name> TTL <class> <type> <RDATA>
From the specific RFCs:
- RFC 1035 section 3.2.4: CLASS values
  - IN is sort of the mandatory class, and means “1 the Internet” (still seldom in use is CH, which stands for “3 the CHAOS class”). IN is also the default and can be omitted according to [Wayback/Archive.is] Sandman4 in [Wayback/Archive] domain name system – BIND/DNS Zone meaning of “IN” – Server Fault:
    if class is not explicitly specified, the default “IN” is used.
- RFC 1035 section 5.1: master files – format
  - White space to separate items on a line can be spaces or tabs
  - Comments start with a semi-colon (;), which means that hashes (#) or double-slashes (//) won’t work and are syntax errors (the above mentioned tool named-checkzone can help you figure out those syntax errors).
  - There are line entries for blank, $ORIGIN, $INCLUDE, and resource record.
  - A line entry starting with $ORIGIN defines the current origin to be used from then on. Without such an entry, the default origin can be defined through a parameter when loading the master file (see the Zone file: localhost example file)
  - Resource record line entries can start with:
    - @ to use the current origin as domain name,
    - a specified <domain-name> to denote the domain name to be used,
    - no <domain-name>, indicating the previous domain name is to be used.
  - A <domain-name> can be absolute, ending in a dot (.), or relative (in which case the origin is appended).
  - No <TTL> or no <class> value means the previous TTL or class value is used.
  - One resource record entry per line, unless you put parentheses, then you can wrap it over multiple lines, which can be convenient for an SOA record like this:

        @ IN SOA ns1.4delphi.com. hostmaster.4delphi.com. (
            2021112201 ; serial
            3600       ; refresh every 1 hour
            120        ; retry every 2 minutes
            1209600    ; expire in 2 weeks
            10800      ; now is 3 hours (see RFC2308) used to be 2 days: 172800 ; default_ttl
        )
- RFC2308 section 4: SOA Minimum Field
  - The $TTL line entry defines the default TTL to be used from then on (similar to $ORIGIN)
There is more (like encoding of domain names, more resource record types, and domain name length limitations), but those go beyond this blog post.
Examples on Wikipedia
Zone file: Example file is great:
    $ORIGIN example.com.     ; designates the start of this zone file in the namespace
    $TTL 3600                ; default expiration time (in seconds) of all RRs without their own TTL value
    example.com.  IN  SOA   ns.example.com. username.example.com. ( 2020091025 7200 3600 1209600 3600 )
    example.com.  IN  NS    ns                    ; ns.example.com is a nameserver for example.com
    example.com.  IN  NS    ns.somewhere.example. ; ns.somewhere.example is a backup nameserver for example.com
    example.com.  IN  MX    10 mail.example.com.  ; mail.example.com is the mailserver for example.com
    @             IN  MX    20 mail2.example.com. ; equivalent to above line, "@" represents zone origin
    @             IN  MX    50 mail3              ; equivalent to above line, but using a relative host name
    example.com.  IN  A     192.0.2.1             ; IPv4 address for example.com
                  IN  AAAA  2001:db8:10::1        ; IPv6 address for example.com
    ns            IN  A     192.0.2.2             ; IPv4 address for ns.example.com
                  IN  AAAA  2001:db8:10::2        ; IPv6 address for ns.example.com
    www           IN  CNAME example.com.          ; www.example.com is an alias for example.com
    wwwtest       IN  CNAME www                   ; wwwtest.example.com is another alias for www.example.com
    mail          IN  A     192.0.2.3             ; IPv4 address for mail.example.com
    mail2         IN  A     192.0.2.4             ; IPv4 address for mail2.example.com
    mail3         IN  A     192.0.2.5             ; IPv4 address for mail3.example.com
as well as the examples at Zone file: Localhost:
An example for manual configuration of the forward zone for localhost is the following:
    $ORIGIN localhost.
    @  86400  IN  SOA   @  root (
                            1999010100 ; serial
                            10800      ; refresh (3 hours)
                            900        ; retry (15 minutes)
                            604800     ; expire (1 week)
                            86400      ; minimum (1 day)
                            )
    @  86400  IN  NS    @
    @  86400  IN  A     127.0.0.1
    @  86400  IN  AAAA  ::1

The corresponding reverse zone definition is:

    ;; reverse zone file for 127.0.0.1 and ::1
    $TTL 1814400 ; 3 weeks
    @  1814400  IN  SOA   localhost. root.localhost. (
                            1999010100 ; serial
                            10800      ; refresh (3 hours)
                            900        ; retry (15 minutes)
                            604800     ; expire (1 week)
                            86400      ; minimum (1 day)
                            )
    @  1814400  IN  NS    localhost.
    1  1814400  IN  PTR   localhost.

This file does not specify the origin so that it may be used for both IPv4 and IPv6 with this configuration:

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "r.local";
    };
    zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "r.local";
    };

Similar zone master files may be created for the reverse resolution of the broadcast address and the null address. Such zone files prevent a DNS server from referring to other, possibly external DNS servers.
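The master file rules above (semicolon comments, parenthesised multi-line entries, $ORIGIN and $TTL, @ and relative versus absolute names, a blank owner reusing the previous name, omitted TTL or class) applied in code, expanding a master file into the single-line, fully qualified form an AXFR returns. This is an added Python example, not from the original post; the sample zone is constructed (modelled on the Wikipedia example above), and the origin and default TTL parameters stand in for what the name server supplies when it loads the file.

```python
CLASSES = {"IN", "CS", "CH", "HS"}                     # RFC 1035 3.2.4 class mnemonics
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}  # RDATA fields holding names

def expand_zone(text, origin=None, default_ttl=None):
    """Expand an RFC 1035 master file into AXFR-style records (owner, ttl, class, type, rdata)
    with every domain name absolute; origin/default_ttl are what the loader would supply."""
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # ';' starts a comment ('#' and '//' do not)
        depth += line.count("(") - line.count(")")    # '(' ... ')' wraps one entry over several lines
        buf.append(line)
        if depth == 0: logical.append(" ".join(buf)); buf = []

    def absolute(name):                                # '@' is the origin; relative names get it appended
        if name == "@": return origin
        return name if name.endswith(".") else f"{name}.{origin}"

    records, owner, ttl, cls = [], None, None, "IN"    # IN is the default class
    for line in logical:
        fields = line.replace("(", " ").replace(")", " ").split()
        if not fields: continue                        # <blank>[<comment>]
        if fields[0] == "$ORIGIN": origin = fields[1]; continue
        if fields[0] == "$TTL": default_ttl = int(fields[1]); continue
        if line[0] not in " \t": owner = absolute(fields.pop(0))   # leading blank = previous owner
        this_ttl, this_cls = None, None                # [<TTL>] [<class>] or [<class>] [<TTL>], both optional
        while fields and (fields[0].isdigit() or fields[0] in CLASSES):
            if fields[0].isdigit(): this_ttl = int(fields.pop(0))
            else: this_cls = fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        # omitted TTL: the RFC 2308 $TTL if one was set, else the previous TTL (RFC 1035); omitted class: previous
        ttl = this_ttl if this_ttl is not None else (default_ttl if default_ttl is not None else ttl)
        cls = this_cls or cls
        for i in NAME_FIELDS.get(rtype, []): rdata[i] = absolute(rdata[i])
        records.append((owner, ttl, cls, rtype, " ".join(rdata)))
    return records

def axfr_lines(text, **kw):                            # "<domain name> TTL <class> <type> <RDATA>" form
    return [f"{o} {t} {c} {ty} {rd}" for o, t, c, ty, rd in expand_zone(text, **kw)]

SAMPLE_ZONE = """\
$ORIGIN example.com.   ; constructed sample modelled on the Wikipedia example above
$TTL 3600
@        IN SOA ns.example.com. hostmaster ( 2020091025 7200 3600 1209600 10800 )
         IN NS  ns           ; blank owner: example.com. is reused
ns  600  IN A   192.0.2.2    ; explicit TTL
         IN AAAA 2001:db8:10::2
www      CNAME  @            ; class omitted: IN carried over
"""
```

Running axfr_lines(SAMPLE_ZONE) gives the five records in the one-line form, e.g. example.com. 3600 IN NS ns.example.com. for the blank-owner NS line.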
Related
OpenSuSE: the relation between /etc/var/named.d and /var/lib/named
—jeroen